From 975f383c2a607e19620a7503f12afaf6a4f943f8 Mon Sep 17 00:00:00 2001
From: Arsalan Shah
Date: Thu, 22 Jul 2021 14:12:40 +0500
Subject: [PATCH] Non friend may able to add comment to friend photo only [huntr.dev] #1979
---
 components/OssnPhotos/ossn_com.php | 33 ++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/components/OssnPhotos/ossn_com.php b/components/OssnPhotos/ossn_com.php
index 883f0f81f..34b7f353b 100644
--- a/components/OssnPhotos/ossn_com.php
+++ b/components/OssnPhotos/ossn_com.php
@@ -84,11 +84,44 @@ function ossn_photos_initialize(){ 'parent' => 'links', 'icon' => $icon, )); + //Non friend may able to add comment to friend photo only [huntr.dev] #1979 + ossn_register_callback('comment', 'before:created', 'ossn_photos_comment_permission_check'); } //gallery plugin dist include ossn_new_external_js('jquery.fancybox.min.js', '//cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.7/jquery.fancybox.min.js', false); ossn_new_external_css('jquery.fancybox.min.css', '//cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.7/jquery.fancybox.min.css', false); } +/** + * Comment photos check before comment + * + * @param string $callback comment + * @param string $type before:created + * @param array $params option values + * + * @access private + */ +function ossn_photos_comment_permission_check($callback, $type, $params){ + if(isset($params['type']) && $params['type'] == 'entity'){ + if(isset($params['entity']) && isset($params['entity']->subtype) && $params['entity']->subtype == 'file:ossn:aphoto'){ + $album = ossn_get_object($params['entity']->owner_guid); + if($album && $album->subtype == 'ossn:album'){ + $user = new OssnUser(); + $loggedin_guid = ossn_loggedin_user()->guid; + if($album->access == OSSN_FRIENDS && !$user->isFriend($album->owner_guid, $loggedin_guid)){ + if(!ossn_is_xhr()){ + redirect(REF); + } else { + header('Content-Type: application/json'); + echo json_encode(array( + 'process' => 0, + )); + exit(); + } + } + } + } + } +} /** * Delete user photos * OssnPhotos still exists when user delete #1142
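Review bot: The new guard in ossn_photos_comment_permission_check appears to lock the album owner out of their own friends-only album: when the owner comments, `$user->isFriend($album->owner_guid, $loggedin_guid)` is asked with the owner's guid on both sides, and unless isFriend treats a user as their own friend that returns false and the owner is redirected or answered with `process => 0`. An owner exemption on the same line keeps the intended restriction for everyone else: `if($album->access == OSSN_FRIENDS && $loggedin_guid != $album->owner_guid && !$user->isFriend($album->owner_guid, $loggedin_guid)){`. `ossn_loggedin_user()->guid` also assumes a logged-in user; if this 'before:created' callback can fire for a guest request, that is a property read on a non-object and the permission check never reaches the redirect, so the result of ossn_loggedin_user() should be tested before its guid is read. The check is keyed only on OSSN_FRIENDS, so if albums can carry a stricter access level the same callback would let comments through on those; a one-line comment such as `// only the friends-only level is enforced here; other album access levels are left to the caller` would at least make that scope explicit. The first two added lines sit inside ossn_photos_initialize, whose start is outside the hunk.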